From e040b31b74d8a821e020be4e73e6c880b95c9543 Mon Sep 17 00:00:00 2001
From: Lukas Holota
Date: Thu, 27 Jun 2024 11:54:22 +0200
Subject: [PATCH 1/5] Redirect script
---
 roles/pve_acme/handlers/main.yml | 8 --
 roles/pve_acme/tasks/acme-domain.yml | 14 ----
 roles/pve_acme/tasks/main.yml | 76 -------------------
 roles/pve_acme/vars/main.yml | 3 -
 roles/pve_https_forward/tasks/main.yml | 10 ++-
 roles/pve_local_storage/tasks/main.yml | 21 -----
 roles/pve_local_storage/tasks/snippets.yml | 17 -----
 roles/pve_pci_passthrough/handlers/main.yml | 9 ---
 .../tasks/pci-passthrough.yml | 27 -------
 roles/pve_smtp/handlers/main.yml | 4 -
 roles/pve_smtp/tasks/main.yml | 43 -----------
 roles/pve_sso_openid/tasks/main.yml | 32 --------
 roles/pve_users/tasks/main.yml | 23 ------
 roles/pve_users/tasks/user-permissions.yml | 11 ---
 14 files changed, 9 insertions(+), 289 deletions(-)
 delete mode 100644 roles/pve_acme/handlers/main.yml
 delete mode 100644 roles/pve_acme/tasks/acme-domain.yml
 delete mode 100644 roles/pve_acme/tasks/main.yml
 delete mode 100644 roles/pve_acme/vars/main.yml
 delete mode 100644 roles/pve_local_storage/tasks/main.yml
 delete mode 100644 roles/pve_local_storage/tasks/snippets.yml
 delete mode 100644 roles/pve_pci_passthrough/handlers/main.yml
 delete mode 100644 roles/pve_pci_passthrough/tasks/pci-passthrough.yml
 delete mode 100644 roles/pve_smtp/handlers/main.yml
 delete mode 100644 roles/pve_smtp/tasks/main.yml
 delete mode 100644 roles/pve_sso_openid/tasks/main.yml
 delete mode 100644 roles/pve_users/tasks/main.yml
 delete mode 100644 roles/pve_users/tasks/user-permissions.yml
diff --git a/roles/pve_acme/handlers/main.yml b/roles/pve_acme/handlers/main.yml
deleted file mode 100644
index 2c2c915..0000000
--- a/roles/pve_acme/handlers/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@ -- name: Order ACME certificates - retries: 5 - delay: 10 - register: acme_order - until: acme_order.rc == 0 - changed_when: true # Called only when the underlying configuration changes - ansible.builtin.command: - cmd: pvenode acme cert order diff --git a/roles/pve_acme/tasks/acme-domain.yml b/roles/pve_acme/tasks/acme-domain.yml deleted file mode 100644 index f4fa3e8..0000000 --- a/roles/pve_acme/tasks/acme-domain.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Check if ACME domain is already configured - ansible.builtin.command: - cmd: "grep -Fxq \"acmedomain{{ index }}: domain={{ domain }},plugin={{ pve_acme_plugin_name }}\" /etc/pve/local/config" - register: acme_domain_list - check_mode: false - ignore_errors: true - changed_when: false - -- name: Add ACME domain configuration - ansible.builtin.command: - cmd: pvenode config set --acmedomain{{ index }} domain={{ domain }},plugin={{ pve_acme_plugin_name }} - when: acme_domain_list.rc != 0 - changed_when: true - notify: Order ACME certificates diff --git a/roles/pve_acme/tasks/main.yml b/roles/pve_acme/tasks/main.yml deleted file mode 100644 index a379433..0000000 --- a/roles/pve_acme/tasks/main.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -# Inspired by https://github.com/simoncaron/ansible-role-pve_acme/blob/master/tasks/pve-acme.yml -- name: Install required python modules - ansible.builtin.apt: - name: - - python3-pexpect - -- name: Check if default ACME plugin is registered - ansible.builtin.command: - cmd: pvenode acme plugin list - register: acme_plugin_list - changed_when: false - ignore_errors: true - -- name: Create config file - ansible.builtin.copy: - content: | - CF_Token={{ pve_acme_cloudflare_token }} - CF_Account_ID={{ pve_acme_cloudflare_account_id }} - dest: "/tmp/acme.data" - mode: "0600" - when: pve_acme_plugin_name | string not in acme_plugin_list.stdout - no_log: true - -- name: Add ACME plugin configuration - run_once: true - ansible.builtin.command: - cmd: "pvenode acme plugin add dns {{ pve_acme_plugin_name }} --api {{ pve_acme_plugin_api }} --data /tmp/acme.data" - when: pve_acme_plugin_name | string not in acme_plugin_list.stdout - changed_when: true - -- name: Check if default ACME account is registered - ansible.builtin.command: - cmd: pvenode acme account list - register: acme_account_list - changed_when: false - ignore_errors: true - -- name: Add ACME account configuration - run_once: true - ansible.builtin.expect: - # yamllint disable rule:line-length - command: "pvenode acme account register {{ pve_acme_account_name }} {{ pve_acme_account_email }} --directory {{ 'https://acme-staging-v02.api.letsencrypt.org/directory' if (pve_acme_use_staging | default(true)) else 'https://acme-v02.api.letsencrypt.org/directory' }}" - # yamllint enable rule:line-length - responses: - Do you agree to the above terms.*: y - when: acme_account_list.stdout | length == 0 - notify: Order ACME certificates - -- name: Check active ACME account - register: acme_account_active - changed_when: false - ansible.builtin.command: - cmd: "pvenode config get --property acme" - -- name: Set ACME account - ansible.builtin.command: - cmd: "pvenode config set --acme \"account={{ 
pve_acme_account_name }}\"" - when: pve_acme_account_name | string not in acme_account_active.stdout - changed_when: true - -- name: Configure ACME domains for current node - ansible.builtin.include_tasks: - file: acme-domain.yml - vars: - index: "0" - domain: "{{ item }}" - loop: - - "{{ ansible_hostname }}.{{ pve_acme_root_domain }}" - -- name: Configure ACME domains for cluster domain - when: pve_acme_proxmox_hostname is defined - ansible.builtin.include_tasks: - file: acme-domain.yml - vars: - index: "1" - domain: "{{ pve_acme_proxmox_hostname }}.{{ pve_acme_root_domain }}" diff --git a/roles/pve_acme/vars/main.yml b/roles/pve_acme/vars/main.yml deleted file mode 100644 index b18dd91..0000000 --- a/roles/pve_acme/vars/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -pve_acme_plugin_name: cloudflare -pve_acme_plugin_api: cf -pve_acme_account_name: default diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml index dcb0363..9e7daa8 100644 --- a/roles/pve_https_forward/tasks/main.yml +++ b/roles/pve_https_forward/tasks/main.yml @@ -19,6 +19,14 @@ set -o pipefail iptables-save -t nat | grep 'Proxmox' +- name: Create iptables directory + ansible.builtin.file: + path: /etc/iptables + state: directory + owner: root + group: root + mode: "0640" + - name: "Save iptables state to a file" ansible.builtin.copy: dest: /etc/iptables/nat.rules.v4 @@ -40,4 +48,4 @@ #!/bin/sh iptables-restore -n < /etc/iptables/nat.rules.v4 # Avoid duplicate rules - iptables-save | uniq | iptables-restore + iptables-save | uniq | iptables-restore \ No newline at end of file diff --git a/roles/pve_local_storage/tasks/main.yml b/roles/pve_local_storage/tasks/main.yml deleted file mode 100644 index 7719b6a..0000000 --- a/roles/pve_local_storage/tasks/main.yml +++ /dev/null 
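Review bot: The new `Create iptables directory` task sets `mode: "0640"` on a directory, which leaves out the search (execute) bit; root still traverses it through its capabilities, so the following copy will work, but the mode does not match what a directory needs and any non-root process in group root would be unable to list or enter it. Since only root needs to read the saved rules, `mode: "0750"` (or `"0700"`) expresses the intent and keeps the directory closed to other users. The `Save iptables state to a file` task that writes `/etc/iptables/nat.rules.v4` begins at the end of this hunk and continues outside it.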
@@ -1,21 +0,0 @@ -- name: Install required python packages - ansible.builtin.package: - name: - - python3-proxmoxer - state: present - -- name: Get local storage info - community.general.proxmox_storage_info: - api_user: "{{ pve_local_storage_api_user }}" - api_password: "{{ pve_local_storage_api_password }}" - api_host: 127.0.0.1 - name: local - register: pve_local_storage_info - -- name: Configure snippets storage - ansible.builtin.include_tasks: - file: snippets.yml - -- name: Set local storage path to facts - ansible.builtin.set_fact: - pve_local_storage_path: "{{ pve_local_storage_info.proxmox_storages[0].path }}" diff --git a/roles/pve_local_storage/tasks/snippets.yml b/roles/pve_local_storage/tasks/snippets.yml deleted file mode 100644 index e3d6fc7..0000000 --- a/roles/pve_local_storage/tasks/snippets.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: Add snippets to storage contents - when: not 'snippets' in pve_local_storage_info.proxmox_storages[0].content - ansible.builtin.lineinfile: - path: /etc/pve/storage.cfg - create: false - firstmatch: true - insertafter: "^\\W*dir:\\W*local$" - regex: "^\\W*content\\W*(.*)$" - line: " content {{ (pve_local_storage_info.proxmox_storages[0].content + ['snippets']) | join(',') }}" - -- name: Create snippets directory - ansible.builtin.file: - path: "{{ pve_local_storage_info.proxmox_storages[0].path }}/snippets" - state: directory - owner: root - group: root - mode: "0750" diff --git a/roles/pve_pci_passthrough/handlers/main.yml b/roles/pve_pci_passthrough/handlers/main.yml deleted file mode 100644 index 7a48437..0000000 --- a/roles/pve_pci_passthrough/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Update initamfs image - ansible.builtin.command: - cmd: update-initramfs -u -k all - changed_when: true - -- name: Reboot machine - ansible.builtin.reboot: - reboot_timeout: 500 - throttle: 1 
diff --git a/roles/pve_pci_passthrough/tasks/pci-passthrough.yml b/roles/pve_pci_passthrough/tasks/pci-passthrough.yml deleted file mode 100644 index 2c01d7b..0000000 --- a/roles/pve_pci_passthrough/tasks/pci-passthrough.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: Add kernel boot parameters - notify: - - Update initamfs image - - Reboot machine - ansible.builtin.replace: - backup: true - dest: /etc/kernel/cmdline - regexp: '^(root=(?!.*\b{{ item }}\b).*)$' - replace: '\1 {{ item }}' - loop: - - "intel-iommu=on" - - "iommu=pt" - when: pve_pci_passhthrough_enabled is defined and pve_pci_passhthrough_enabled - -- name: Load required kernel modules - notify: - - Update initamfs image - - Reboot machine - ansible.builtin.lineinfile: - path: /etc/modules - line: "{{ item }}" - loop: - - vfio - - vfio_iommu_type1 - - vfio_pci - - vfio_virqfd - when: pve_pci_passhthrough_enabled is defined and pve_pci_passhthrough_enabled diff --git a/roles/pve_smtp/handlers/main.yml b/roles/pve_smtp/handlers/main.yml deleted file mode 100644 index 1577b1f..0000000 --- a/roles/pve_smtp/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Restart postfix - ansible.builtin.service: - name: postfix - state: restarted diff --git a/roles/pve_smtp/tasks/main.yml b/roles/pve_smtp/tasks/main.yml deleted file mode 100644 index 928d89f..0000000 --- a/roles/pve_smtp/tasks/main.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -- name: Configure postfix smtp relay - ansible.builtin.lineinfile: - path: /etc/postfix/main.cf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - regexp: "^relayhost\\s*=" - line: "relayhost = {{ pve_smtp_host }}:{{ pve_smtp_port }}" - - regexp: "^smtp_use_tls\\s*=" - line: "smtp_use_tls = {{ 'yes' if pve_smtp_tls else 'no' }}" - - regexp: "^smtp_sasl_auth_enable\\s*=" - line: "smtp_sasl_auth_enable = {{ 'yes' if (pve_smtp_username is defined and pve_smtp_username | length) else 'no' }}" - - regexp: "^smtp_sasl_security_options\\s*=" - line: "smtp_sasl_security_options = {{ 'nonanonymous' if (pve_smtp_username is defined and pve_smtp_username | length) else '' }}" - - regexp: "^smtp_sasl_password_maps\\s*=" - line: "smtp_sasl_password_maps = /etc/postfix/sasl_passwd" - - regexp: "^smtp_tls_CAfile\\s*=" - line: "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt" - notify: - - Restart postfix - -- name: Configure postfix smtp authentication # noqa no-tabs - ansible.builtin.copy: - dest: /etc/postfix/sasl_passwd.cf - force: true - owner: root - group: root - mode: "0600" - content: | - # This file is managed by Ansible. All changes will be lost. - - {{ pve_smtp_host }}:{{ pve_smtp_port }} {{ pve_smtp_username }}:{{ pve_smtp_password }} - when: pve_smtp_username is defined and pve_smtp_username | length - notify: - - Restart postfix - -- name: Remove postfix smtp authentication when not used - ansible.builtin.file: - dest: /etc/postfix/sasl_passwd.cf - state: absent - when: pve_smtp_username is not defined or not pve_smtp_username | length - notify: - - Restart postfix diff --git a/roles/pve_sso_openid/tasks/main.yml b/roles/pve_sso_openid/tasks/main.yml deleted file mode 100644 index b6aa256..0000000 --- a/roles/pve_sso_openid/tasks/main.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -- name: Check if domains.cfg exists - register: domains_cfg - ansible.builtin.stat: - path: /etc/pve/domains.cfg - -- name: Create default domains.cfg if it does not exist - run_once: true # Cluster level command - when: not domains_cfg.stat.exists - changed_when: not domains_cfg.stat.exists - ansible.builtin.command: - cmd: pveum realm modify pam --default 0 - -# Note: The empty line in the template below must remain, otherwise jinja puts the last two lines on one which creates an invalid file -- name: Define PVE realm - run_once: true - no_log: true - ansible.builtin.blockinfile: - create: false - path: /etc/pve/domains.cfg - marker: "# {mark} ANSIBLE MANAGED BLOCK (OpenID {{ item.name }})" - block: | - openid: {{ item.name }} - comment {{ item.display_name }} - client-id {{ item.client_id }} - client-key {{ item.client_secret }} - issuer-url {{ item.url }} - autocreate {{ '1' if item.autocreate_users else '0' }} - default {{ '1' if pve_default_realm_name == item.name else '0' }} - {% if 'username_claim' in item %}username-claim {{ item.username_claim }}{% endif %} - - {% if 'scopes' in item %}scopes {{ item.scopes }}{% endif %} - with_items: "{{ pve_openid_realms }}" diff --git a/roles/pve_users/tasks/main.yml b/roles/pve_users/tasks/main.yml deleted file mode 100644 index b0c57e7..0000000 --- a/roles/pve_users/tasks/main.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -- name: Create users - ansible.builtin.lineinfile: - path: /etc/pve/user.cfg - create: false - regex: "^user:{{ item.username }}@{{ item.realm }}:(.*)" - # hardcoded 0 is expiration time, ignored by design - line: "user:{{ item.username }}@{{ item.realm }}:{{ '1' if item.enabled else '0' }}:0:{{ item.first_name }}:{{ item.last_name }}:{{ item.email }}:::" - with_items: "{{ pve_users }}" - when: pve_users is defined - -- name: Assign roles to users - ansible.builtin.include_tasks: - file: user-permissions.yml - with_items: "{{ pve_users }}" - when: pve_users is defined - vars: - user: "{{ item }}" - -- name: Remove root@pam user - ansible.builtin.lineinfile: - path: /etc/pve/user.cfg - state: absent - regex: "^user:root@pam:(.*)" diff --git a/roles/pve_users/tasks/user-permissions.yml b/roles/pve_users/tasks/user-permissions.yml deleted file mode 100644 index f150c0d..0000000 --- a/roles/pve_users/tasks/user-permissions.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Assign scoped roles to users - no_log: true - ansible.builtin.lineinfile: - path: /etc/pve/user.cfg - create: false - regex: "^acl:1:{{ permission.scope | default('/') }}:{{ user.username }}@{{ user.realm }}:(.*)" - line: "acl:1:{{ permission.scope | default('/') }}:{{ user.username }}@{{ user.realm }}:{{ permission.roles | join(',') }}:" - insertafter: "^user:.*" - loop: "{{ user.permissions }}" - loop_control: - loop_var: permission From 69606780692fab57f9001e14b9b5a344d965144b Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Thu, 27 Jun 2024 12:12:07 +0200 Subject: [PATCH 2/5] Fix --- roles/pve_https_forward/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml index 9e7daa8..ed3df5b 100644 --- a/roles/pve_https_forward/tasks/main.yml +++ b/roles/pve_https_forward/tasks/main.yml 
@@ -3,9 +3,9 @@ table: nat chain: PREROUTING protocol: tcp + destination: "{{ ansible_host }}" # To avoid collision with other services exposing the same port on a different ip destination_port: 443 to_ports: 8006 - source: "{{ ansible_host }}" # To avoid collision with other services exposing the same port on a different ip jump: REDIRECT comment: "Enable Proxmox admin interface on 443" in_interface: vmbr0 # Must be specified to prevent docker containers calling 443 to be redirected to local From d3c0467cbd5a6a6a8ac2b2ecc182b05fab86eee0 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Fri, 19 Jul 2024 16:26:24 +0200 Subject: [PATCH 3/5] Checkpoint --- roles/pve_apt/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pve_apt/tasks/main.yml b/roles/pve_apt/tasks/main.yml index 2b6973f..8dcbdb2 100644 --- a/roles/pve_apt/tasks/main.yml +++ b/roles/pve_apt/tasks/main.yml @@ -20,7 +20,7 @@ dest: /etc/apt/sources.list.d/pve-no-subscription.list owner: root group: root - mode: "0640" + mode: "0644" content: | deb http://download.proxmox.com/debian/pve {{ debver.stdout }} pve-no-subscription From 952a719ab5d4791eba22304ed4a0458f6e5a3b51 Mon Sep 17 00:00:00 2001 From: Lukas Holota Date: Tue, 8 Oct 2024 19:04:04 +0200 Subject: [PATCH 4/5] Lint fix --- roles/pve_https_forward/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/pve_https_forward/tasks/main.yml b/roles/pve_https_forward/tasks/main.yml index ed3df5b..25b3cc1 100644 --- a/roles/pve_https_forward/tasks/main.yml +++ b/roles/pve_https_forward/tasks/main.yml @@ -48,4 +48,4 @@ #!/bin/sh iptables-restore -n < /etc/iptables/nat.rules.v4 # Avoid duplicate rules - iptables-save | uniq | iptables-restore \ No newline at end of file + iptables-save | uniq | iptables-restore From e868063441179e37ef4b1a551b5178a083381430 Mon Sep 17 00:00:00 2001 
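Review bot: Swapping `source:` for `destination:` corrects the match of the REDIRECT rule, but the iptables task (its module line is above the hunk) only ensures the new rule is present; on a node where the role already ran, the previously inserted rule keyed on `-s {{ ansible_host }}` remains in the nat PREROUTING chain until something removes it, and if the save step outside this hunk captures every rule carrying the Proxmox comment it is persisted alongside the new one. A companion task with the old parameters and `state: absent`, run before the rules are saved, cleans this up on existing hosts. Separately, `ansible_host` is handed to iptables unchanged; if the inventory sets it to a hostname rather than an address, iptables resolves it once at insertion time, so asserting it is an IP address (or using an interface address fact) would make the rule deterministic. The task definition itself starts before the hunk.
```yaml
# … unchanged: task that ensures the rule keyed on destination …
- name: Remove superseded redirect rule keyed on source address
  ansible.builtin.iptables:
    table: nat
    chain: PREROUTING
    protocol: tcp
    source: "{{ ansible_host }}"
    destination_port: 443
    to_ports: 8006
    jump: REDIRECT
    comment: "Enable Proxmox admin interface on 443"
    in_interface: vmbr0
    state: absent
```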
From: Lukas Holota Date: Tue, 8 Oct 2024 19:05:34 +0200 Subject: [PATCH 5/5] Lint fix 2 --- meta/runtime.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/runtime.yml b/meta/runtime.yml index 6d19ccc..5f8d47e 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -1,2 +1,2 @@ --- -requires_ansible: '>=2.14.0' +requires_ansible: '>=2.15.0'